storj/pkg/peertls/peertls_test.go
2019-04-08 20:15:19 +02:00

317 lines
9.7 KiB
Go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.
package peertls_test
import (
"bytes"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"encoding/gob"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/zeebo/errs"
"storj.io/storj/internal/testpeertls"
"storj.io/storj/pkg/peertls"
"storj.io/storj/pkg/peertls/extensions"
"storj.io/storj/pkg/pkcrypto"
"storj.io/storj/pkg/storj"
)
func TestNewCert_CA(t *testing.T) {
caKey, err := pkcrypto.GeneratePrivateKey()
assert.NoError(t, err)
caTemplate, err := peertls.CATemplate()
assert.NoError(t, err)
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
assert.NoError(t, err)
assert.NotEmpty(t, caKey)
assert.NotEmpty(t, caCert)
assert.NotEmpty(t, caCert.PublicKey)
err = caCert.CheckSignatureFrom(caCert)
assert.NoError(t, err)
}
func TestNewCert_Leaf(t *testing.T) {
caKey, err := pkcrypto.GeneratePrivateKey()
assert.NoError(t, err)
caTemplate, err := peertls.CATemplate()
assert.NoError(t, err)
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
assert.NoError(t, err)
leafKey, err := pkcrypto.GeneratePrivateKey()
assert.NoError(t, err)
leafTemplate, err := peertls.LeafTemplate()
assert.NoError(t, err)
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caCert)
assert.NoError(t, err)
assert.NotEmpty(t, caKey)
assert.NotEmpty(t, leafCert)
assert.NotEmpty(t, leafCert.PublicKey)
err = caCert.CheckSignatureFrom(caCert)
assert.NoError(t, err)
err = leafCert.CheckSignatureFrom(caCert)
assert.NoError(t, err)
}
func TestVerifyPeerFunc(t *testing.T) {
_, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
if !assert.NoError(t, err) {
t.FailNow()
}
leafCert, caCert := chain[peertls.LeafIndex], chain[peertls.CAIndex]
testFunc := func(chain [][]byte, parsedChains [][]*x509.Certificate) error {
switch {
case !bytes.Equal(chain[peertls.CAIndex], caCert.Raw):
return errs.New("CA cert doesn't match")
case !bytes.Equal(chain[peertls.LeafIndex], leafCert.Raw):
return errs.New("leaf's CA cert doesn't match")
case !pkcrypto.PublicKeyEqual(leafCert.PublicKey, parsedChains[0][0].PublicKey):
return errs.New("leaf public key doesn't match")
case !bytes.Equal(parsedChains[0][peertls.CAIndex].Raw, caCert.Raw):
return errs.New("parsed CA cert doesn't match")
case !bytes.Equal(parsedChains[0][peertls.LeafIndex].Raw, leafCert.Raw):
return errs.New("parsed leaf cert doesn't match")
}
return nil
}
err = peertls.VerifyPeerFunc(testFunc)([][]byte{leafCert.Raw, caCert.Raw}, nil)
assert.NoError(t, err)
}
func TestVerifyPeerCertChains(t *testing.T) {
keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
if !assert.NoError(t, err) {
t.FailNow()
}
leafKey, leafCert, caCert := keys[peertls.LeafIndex], chain[peertls.LeafIndex], chain[peertls.CAIndex]
err = peertls.VerifyPeerFunc(peertls.VerifyPeerCertChains)([][]byte{leafCert.Raw, caCert.Raw}, nil)
assert.NoError(t, err)
wrongKey, err := pkcrypto.GeneratePrivateKey()
assert.NoError(t, err)
leafCert, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), wrongKey, leafCert, caCert)
assert.NoError(t, err)
err = peertls.VerifyPeerFunc(peertls.VerifyPeerCertChains)([][]byte{leafCert.Raw, caCert.Raw}, nil)
nonTempErr, ok := err.(peertls.NonTemporaryError)
require.True(t, ok)
assert.True(t, peertls.ErrVerifyPeerCert.Has(nonTempErr.Err()))
assert.True(t, peertls.ErrVerifyCertificateChain.Has(nonTempErr.Err()))
}
func TestVerifyCAWhitelist(t *testing.T) {
_, chain2, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
if !assert.NoError(t, err) {
t.FailNow()
}
leafCert, caCert := chain2[0], chain2[1]
t.Run("empty whitelist", func(t *testing.T) {
err = peertls.VerifyPeerFunc(peertls.VerifyCAWhitelist(nil))([][]byte{leafCert.Raw, caCert.Raw}, nil)
assert.NoError(t, err)
})
t.Run("whitelist contains ca", func(t *testing.T) {
err = peertls.VerifyPeerFunc(peertls.VerifyCAWhitelist([]*x509.Certificate{caCert}))([][]byte{leafCert.Raw, caCert.Raw}, nil)
assert.NoError(t, err)
})
_, unrelatedChain, err := testpeertls.NewCertChain(1, storj.LatestIDVersion().Number)
if !assert.NoError(t, err) {
t.FailNow()
}
unrelatedCert := unrelatedChain[0]
t.Run("no valid signed extension, non-empty whitelist", func(t *testing.T) {
err = peertls.VerifyPeerFunc(peertls.VerifyCAWhitelist([]*x509.Certificate{unrelatedCert}))([][]byte{leafCert.Raw, caCert.Raw}, nil)
nonTempErr, ok := err.(peertls.NonTemporaryError)
require.True(t, ok)
assert.True(t, peertls.ErrVerifyCAWhitelist.Has(nonTempErr.Err()))
})
t.Run("last cert in whitelist is signer", func(t *testing.T) {
err = peertls.VerifyPeerFunc(peertls.VerifyCAWhitelist([]*x509.Certificate{unrelatedCert, caCert}))([][]byte{leafCert.Raw, caCert.Raw}, nil)
assert.NoError(t, err)
})
t.Run("first cert in whitelist is signer", func(t *testing.T) {
err = peertls.VerifyPeerFunc(peertls.VerifyCAWhitelist([]*x509.Certificate{caCert, unrelatedCert}))([][]byte{leafCert.Raw, caCert.Raw}, nil)
assert.NoError(t, err)
})
_, chain3, err := testpeertls.NewCertChain(3, storj.LatestIDVersion().Number)
if !assert.NoError(t, err) {
t.FailNow()
}
leaf2Cert, ca2Cert, rootCert := chain3[0], chain3[1], chain3[2]
t.Run("length 3 chain - first cert in whitelist is signer", func(t *testing.T) {
err = peertls.VerifyPeerFunc(peertls.VerifyCAWhitelist([]*x509.Certificate{rootCert, unrelatedCert}))([][]byte{leaf2Cert.Raw, ca2Cert.Raw, unrelatedCert.Raw}, nil)
assert.NoError(t, err)
})
t.Run("length 3 chain - last cert in whitelist is signer", func(t *testing.T) {
err = peertls.VerifyPeerFunc(peertls.VerifyCAWhitelist([]*x509.Certificate{unrelatedCert, rootCert}))([][]byte{leaf2Cert.Raw, ca2Cert.Raw, unrelatedCert.Raw}, nil)
assert.NoError(t, err)
})
}
func TestAddExtraExtension(t *testing.T) {
_, chain, err := testpeertls.NewCertChain(1, storj.LatestIDVersion().Number)
require.NoError(t, err)
cert := chain[0]
extLen := len(cert.Extensions)
randBytes := make([]byte, 10)
_, err = rand.Read(randBytes)
require.NoError(t, err)
if !assert.NoError(t, err) {
t.FailNow()
}
ext := pkix.Extension{
Id: asn1.ObjectIdentifier{2, 999, int(randBytes[0])},
Value: randBytes,
}
err = extensions.AddExtraExtension(cert, ext)
assert.NoError(t, err)
assert.Len(t, cert.ExtraExtensions, 1)
require.Len(t, cert.Extensions, extLen)
assert.Equal(t, ext, cert.ExtraExtensions[0])
}
func TestRevocation_Sign(t *testing.T) {
keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
assert.NoError(t, err)
leafCert, caKey := chain[peertls.LeafIndex], keys[peertls.CAIndex]
leafKeyHash, err := peertls.DoubleSHA256PublicKey(leafCert.PublicKey)
require.NoError(t, err)
rev := extensions.Revocation{
Timestamp: time.Now().Unix(),
KeyHash: make([]byte, len(leafKeyHash)),
}
copy(rev.KeyHash, leafKeyHash[:])
err = rev.Sign(caKey)
assert.NoError(t, err)
assert.NotEmpty(t, rev.Signature)
}
func TestRevocation_Verify(t *testing.T) {
keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
assert.NoError(t, err)
leafCert, caCert, caKey := chain[peertls.LeafIndex], chain[peertls.CAIndex], keys[peertls.CAIndex]
leafKeyHash, err := peertls.DoubleSHA256PublicKey(leafCert.PublicKey)
require.NoError(t, err)
rev := extensions.Revocation{
Timestamp: time.Now().Unix(),
KeyHash: make([]byte, len(leafKeyHash)),
}
copy(rev.KeyHash, leafKeyHash[:])
err = rev.Sign(caKey)
assert.NoError(t, err)
assert.NotEmpty(t, rev.Signature)
err = rev.Verify(caCert)
assert.NoError(t, err)
}
func TestRevocation_Marshal(t *testing.T) {
keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
assert.NoError(t, err)
leafCert, caKey := chain[peertls.LeafIndex], keys[peertls.CAIndex]
leafKeyHash, err := peertls.DoubleSHA256PublicKey(leafCert.PublicKey)
require.NoError(t, err)
rev := extensions.Revocation{
Timestamp: time.Now().Unix(),
KeyHash: make([]byte, len(leafKeyHash)),
}
copy(rev.KeyHash, leafKeyHash[:])
err = rev.Sign(caKey)
assert.NoError(t, err)
assert.NotEmpty(t, rev.Signature)
revBytes, err := rev.Marshal()
assert.NoError(t, err)
assert.NotEmpty(t, revBytes)
decodedRev := new(extensions.Revocation)
decoder := gob.NewDecoder(bytes.NewBuffer(revBytes))
err = decoder.Decode(decodedRev)
assert.NoError(t, err)
assert.Equal(t, rev, *decodedRev)
}
func TestRevocation_Unmarshal(t *testing.T) {
keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
assert.NoError(t, err)
leafCert, caKey := chain[peertls.LeafIndex], keys[peertls.CAIndex]
leafKeyHash, err := peertls.DoubleSHA256PublicKey(leafCert.PublicKey)
require.NoError(t, err)
rev := extensions.Revocation{
Timestamp: time.Now().Unix(),
KeyHash: make([]byte, len(leafKeyHash)),
}
copy(rev.KeyHash, leafKeyHash[:])
err = rev.Sign(caKey)
assert.NoError(t, err)
assert.NotEmpty(t, rev.Signature)
encodedRev := new(bytes.Buffer)
encoder := gob.NewEncoder(encodedRev)
err = encoder.Encode(rev)
assert.NoError(t, err)
unmarshaledRev := new(extensions.Revocation)
err = unmarshaledRev.Unmarshal(encodedRev.Bytes())
assert.NoError(t, err)
assert.NotNil(t, rev)
assert.Equal(t, rev, *unmarshaledRev)
}
func TestNewRevocationExt(t *testing.T) {
keys, chain, err := testpeertls.NewCertChain(2, storj.LatestIDVersion().Number)
assert.NoError(t, err)
ext, err := extensions.NewRevocationExt(keys[peertls.CAIndex], chain[peertls.LeafIndex])
assert.NoError(t, err)
var rev extensions.Revocation
err = rev.Unmarshal(ext.Value)
assert.NoError(t, err)
err = rev.Verify(chain[peertls.CAIndex])
assert.NoError(t, err)
}